Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton
Dec 9th 2021
Shared notes panel is vulnerable to XSS when rendering a new note, due to missing username sanitization.
Proof of Concept
- 1.Start a new web conference and share the link with other people
- 2.A malicious user joins the conference with the following username:
- 3.As soon as the malicious user types on the "Shared notes" section (and the victim has the "Shared notes" section open) an alert popup is shown on the target user (in this case showing the
User inputs should be always sanitized against such attacks to prevent attackers injecting malicious code. Is also important to perform output encoding in order to prevent unwanted code execution.